US hospitals scramble to bolster security as attacks increase amid pandemic


U.S. hospitals and health systems are looking to invest more in cybersecurity after attacks rose during the pandemic, although tight budgets and a shortage of IT professionals may slow those efforts.

COVID-19 helped create a "perfect storm" of circumstances that left hospitals and health systems distracted and more vulnerable to cyberattacks, Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, or H-ISAC, an organization of healthcare IT infrastructure operators, said in an interview.

Rising numbers of COVID-19 hospitalizations and the implementation of telehealth systems and remote working capabilities increased hospitals' "attack surface," according to John Riggi, the senior adviser for cybersecurity and risk at the American Hospital Association. An increase in temporary staff members who had to be added to IT systems also created risks.

"As we moved into COVID, the vast number of rapidly onboarding ... end users across the gamut of healthcare became an IT/security nightmare," Claire Reilly, senior clinical workflow specialist at healthcare security IT company Imprivata Inc., said in an interview.

Cyberattacks against healthcare companies have posed an increased risk during the COVID-19 pandemic, according to an October 2020 statement by the FBI. Software company VMware Inc.'s Carbon Black cybersecurity unit found that there were about 239.4 million attempted attacks against its healthcare clients in 2020 and cited a nearly 10,000% increase in attempts compared with the previous year. Though not all cybersecurity breaches are publicly disclosed by the U.S. Department of Health and Human Services, a report from data protection company Bitglass Inc. showed that actual breaches totaled 599 in 2020, a 55.1% increase from 2019.

Even before the pandemic, cyberattacks were on the rise. "The frequency, severity and sophistication of the attacks have increased dramatically, not only over the decades, of course, but also within the past five years even," Riggi, an FBI veteran, told S&P Global Market Intelligence.

Budget trends

Between 2019 and 2020, as attacks increased, most healthcare executives either maintained or cut their cybersecurity budgets, according to a 2020 Healthcare Information and Management Systems Society survey. However, more recent surveys suggest that the hospital industry plans to make security spending a priority.

451 Research reported in its January survey that 61.9% of healthcare respondents expected an IT budget increase in information security during 2021. A follow-up survey published in April found that 55.6% of healthcare respondents said security was a major investment area for digital technology strategy over the next 12 months, while 451's most recent findings, published in June, revealed that healthcare respondents expected a 20% IT budget increase on average in 2021 compared to 2020.

Health systems looking to hire cybersecurity professionals will find they are in short supply. According to Cyberseek, a partner of The National Initiative for Cybersecurity Education, the supply of cybersecurity workers in the healthcare and social assistance sector is "very low" when compared to demand, with almost 16,000 job openings for an employed workforce of close to 30,000.

"The first investment is in the culture of the organization, investing in the people, investing in a mindset so that the leadership and the board and the staff understand that cyberrisk is a reality," Riggi said.

Hospitals' cyber needs differ from other industries, 451 senior research analyst Daniel Kennedy said, as they have various connected devices throughout the organization that contain and transmit sensitive healthcare information.

"They're having a very specific issue, and it's around all the devices they have to manage that are unique in that environment," Kennedy said in an interview. "It's not like finance, where it's a bunch of workstations and laptops."

New customers

As hospitals turn their attention to the cybersecurity measures they have in place, security providers like McAfee Corp., Palo Alto Networks Inc., Microsoft Corp. and Cisco Systems Inc. are seeing their customers wake up to the threat. Palo Alto Networks' threat intelligence groups Unit 42 and Crypsis found that healthcare was the most targeted vertical by ransomware in 2020.

All industries have made inadequate investment in the prevention of cyberattacks over the last few years, said M. K. Palmore, former head of the Cyber Security Branch for FBI San Francisco and Palo Alto Networks' current chief security officer for the Americas. Increasing those investments will save hospitals and other healthcare organizations money in the long run.

"[There are] total cost of ownership benefits to investing in security early on as opposed to reacting to things that happen in the environment," Palmore said.

Not all hospitals and health systems, though, are in a position to increase spending on cybersecurity. A February 2021 report by the Chartis Center for Rural Health found that 46% of rural hospitals had a negative operating margin, compared to 39% in 2015, and that 453 rural hospitals were vulnerable to closure.

Moody's cyber data indicated that nonprofit hospitals' average spending on cyberrisk management is about 5% of the overall IT budget, trailing the utilities and banking sectors, although the American Hospital Association's Riggi said that some hospitals can spend as much as 10%.

"Nobody thinks about leaving the doors open or nobody would think twice about building a fence around a facility if they needed to," H-ISAC's Weiss said. "Why don't we take the same kind of look at things from a cyber perspective as well?"

Costs vary

Healthcare had the highest average cost of a data breach worldwide at $7.1 million, according to the 2020 Cost of a Data Breach report by the Ponemon Institute, an IT research organization, and International Business Machines Corp. A separate study by consumer-focused tech website Comparitech estimated that the cost of ransomware attacks on U.S. hospitals was $20.8 billion in 2020, based on 2017 research that showed a minute of downtime cost hospitals over $8,600 on average.

Universal Health Services Inc., one of the largest for-profit hospital chains in the U.S., reported that a 2020 cyberattack on its systems had a pretax impact of $67 million, largely due to lost operating income from a decrease in patient activity during this time. It was another financial setback after UHS and other hospital systems, such as HCA Healthcare Inc. and Tenet Healthcare Corp., had experienced declines in procedure and patient volumes due to COVID-19 as well as increases in labor spending due to a shortage of nurses.

Against these financial pressures and the complexity of implementing solutions, it's easy to see why cybersecurity has not been the priority it should be for some providers. "A big part of the challenge [for healthcare] is making the investments to begin with," Weiss said.